- The U.S. Securities and Exchange Commission (SEC) has adopted new rules requiring public companies to disclose material cybersecurity incidents and to report, annually, detailed information about their cybersecurity risk management, strategy and governance.
- The adoption of these rules underscores the need for transparency to guide investor decisions as poor cybersecurity controls might expose investors to elevated risk.
- Mandatory annual disclosures begin with annual reports for fiscal years ending on or after December 15, 2023, and incident disclosures are required from December 18, 2023 onwards. Smaller reporting companies, however, receive an additional 180 days before the incident disclosure requirement applies to them.
- The rules standardize how organizations disclose cybersecurity risks to investors and regulatory authorities, so that disclosures are consistent and comparable across companies.
- Furthermore, companies are encouraged to adopt frameworks that help them assess the materiality and potential impact of cyber incidents.
The SEC’s cybersecurity disclosure requirements will have significant implications for businesses. An organization with weak or non-existent cybersecurity controls may pose more risk to investors, and a company that experiences a major cybersecurity incident may face a variety of short- and long-term losses. Understanding the specifics of the SEC’s final disclosure requirements, recognizing the factors that determine whether a cyber incident is material, and identifying strategies for complying with the regulation are all critical steps for companies navigating these new rules. Their introduction highlights the growing importance of cybersecurity risk management in protecting the interests of all stakeholders.
By enforcing these rules, the SEC aims to give investors the pertinent information they need to make informed decisions, which in turn promotes transparency in the investment market.